diff --git a/.gitignore b/.gitignore
index e663629..46c45fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,5 @@ libssh-0.4.4.tar.gz.asc
 /libssh-0.10.6.tar.xz.asc
 /libssh-0.11.1.tar.xz
 /libssh-0.11.1.tar.xz.asc
+/libssh-0.12.0.tar.xz
+/libssh-0.12.0.tar.xz.asc
diff --git a/libssh-0.11.1-CVE-2025-5318.patch b/libssh-0.11.1-CVE-2025-5318.patch
deleted file mode 100644
index 59e2525..0000000
--- a/libssh-0.11.1-CVE-2025-5318.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b47ccd17559f79bfb2d6b94d2bf84856cf06259e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen
-Date: Tue, 22 Apr 2025 21:18:44 +0200
-Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
-
-Signed-off-by: Jakub Jelen
-Reviewed-by: Andreas Schneider
----
- src/sftpserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1afd8b2f..2aa28baa 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -704,7 +704,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle)
-
- memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
-
-- if (val > SFTP_HANDLES) {
-+ if (val >= SFTP_HANDLES) {
- return NULL;
- }
-
---
-2.50.1
-
diff --git a/libssh-0.11.1-fix-provider-loading.patch b/libssh-0.11.1-fix-provider-loading.patch
deleted file mode 100644
index 53170b7..0000000
--- a/libssh-0.11.1-fix-provider-loading.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
---- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
-+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
-@@ -240,6 +240,14 @@ int torture_run_tests(void) {
- session_teardown),
- };
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_init();
- torture_filter_tests(tests);
- rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
-diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
-@@ -563,6 +563,14 @@ int torture_run_tests(void) {
- ssh_session session = ssh_new();
- int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_init();
- ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-
-diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
-@@ -285,6 +285,14 @@ torture_run_tests(void)
- ssh_session session = ssh_new();
- int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
- ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- ssh_init();
-
diff --git a/libssh.spec b/libssh.spec
index 953fd7a..282577e 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,21 +1,15 @@
 Name: libssh
-Version: 0.11.1
-Release: 3%{?dist}
+Version: 0.12.0
+Release: 1%{?dist}
 Summary: A library implementing the SSH protocol
 License: LGPL-2.1-or-later
 URL: http://www.libssh.org
-Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
-Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
+Source0: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz
+Source1: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz.asc
 Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
 Source3: libssh_client.config
 Source4: libssh_server.config
-# Don't use global openssl.cnf for PKCS#11 URI Tests
-# https://gitlab.com/libssh/libssh-mirror/-/commit/46d74176
-Patch1: libssh-0.11.1-fix-provider-loading.patch
-# Fix possible buffer overrun in the SFTP server
-# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
-Patch2: libssh-0.11.1-CVE-2025-5318.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -42,6 +36,9 @@ BuildRequires: p11-kit-client
 BuildRequires: opensc
 BuildRequires: softhsm
 BuildRequires: gnutls-utils
+BuildRequires: libfido2-devel
+BuildRequires: openssh-sk-dummy
+BuildRequires: hostname
 Requires: %{name}-config = %{version}-%{release}
@@ -90,6 +87,7 @@ The %{name}-config package provides the default configuration files for %{name}.
 -DGSSAPI_TESTING=ON \
 -DWITH_PKCS11_URI=ON \
 -DWITH_PKCS11_PROVIDER=ON \
+ -DWITH_FIDO2=ON \
 -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
 -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
@@ -145,6 +143,10 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 %changelog
+* Tue Feb 10 2026 Pavol Žáčik - 0.12.0-1
+- Rebase to 0.12.0
+ Resolves: RHEL-133421, RHEL-70825, RHEL-130042
+
 * Tue Sep 30 2025 Pavol Žáčik - 0.11.1-3
 - Fix CVE-2025-5318
 Resolves: RHEL-111721
diff --git a/sources b/sources
index 27d9c90..3667ffe 100644
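Review bot: The 0.12.0-1 changelog entry in the last hunk does not record why Patch1 and Patch2 disappear in the first hunk, and with the `# https://gitlab.com/libssh/libssh-mirror/-/commit/...` comment lines gone the spec no longer points at the upstream commits for CVE-2025-5318 or the PKCS#11 provider-loading fix. Presumably both are contained in the 0.12.0 tarball, but that is not stated anywhere in the commit, so a later reader auditing CVE coverage has to rediscover it. A changelog bullet such as `- Drop libssh-0.11.1-fix-provider-loading.patch and libssh-0.11.1-CVE-2025-5318.patch, fixed upstream in 0.12.0` would make the drop self-documenting. The new `BuildRequires: hostname` and `-DWITH_FIDO2=ON` lines likewise arrive without a comment saying what needs them (presumably the test suite and the FIDO2 key support respectively); a one-line `# ...` above each, in the style of the removed patch comments, would help the next rebase.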
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
-SHA512 (libssh-0.11.1.tar.xz.asc) = 7d1a2f02a9abba5373b1a29a9097fef65e46ff3a22e36bcb3549066d69fbd8e2702ff3b6182bae931282d10256da2ca8a364935b068d6d5bc767d877572ee3e2
+SHA512 (libssh-0.12.0.tar.xz) = dd28483f391e36c9da0f0b8c469bc9e19f75dc1016d04e35930b1a28e0711fa02a1eae9ddeb95b9e48cb1fd3f2bc456789457bc092cf53d00d55b20257f082a2
+SHA512 (libssh-0.12.0.tar.xz.asc) = 2b24cc6d0a8accba4637978b9d9df49eaa432aa6394af7ee192e99df652049ec1a7b4c4e3951f6858ff2aa93a6cd9d48befbe1104724160d686eb2a20b6547ab